
null pointer dereference vulnerability in Segment() #22

Closed
gsharpsh00ter opened this issue Mar 5, 2018 · 7 comments

@gsharpsh00ter

gsharpsh00ter commented Mar 5, 2018

0x01 Description

A null pointer dereference vulnerability was found in Segment.cpp, which may allow attackers to cause a denial of service or possibly have unspecified other impact via a crafted font type file.

0x02 How to reproduce

The issue can be reproduced by the following command:

gr2fonttest $POCFILE -rtl -j 30 -cache -codes 1000
Text codes
1000
Segmentation fault

0x03 Cause Analysis

The program failed to verify pointer m_silf in Segment():

gzq@ubuntu:~/fuzz/install/graphite/bin$ gdb -q ./gr2fonttest 
Reading symbols from ./gr2fonttest...done.
(gdb) r poc-libgraphite2-null-pointer-dereference.ttf -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003
Starting program: /home/gzq/fuzz/install/graphite/bin/gr2fonttest poc-libgraphite2-null-pointer-dereference.ttf -rtl -j 30 -cache -bytes 1 -noprint -codes 1000 102f 103f 104f 105f 106f 107f 108f 109f 10af 10bf 10cf 10df 10ef 10ff 2000 2001 2002 2003
Text codes
1000	102f	103f	104f	105f	106f	107f	108f	109f	10af
10bf	10cf	10df	10ef	10ff	2000	2001	2002	2003	

Program received signal SIGSEGV, Segmentation fault.
graphite2::Segment::Segment (this=0x555555846250, numchars=19, face=0x555555842480, script=0, textDir=1) at /home/gzq/fuzz/code/graphite/src/Segment.cpp:57
57	  m_passBits(m_silf->aPassBits() ? -1 : 0),
(gdb) print m_silf
$1 = (const graphite2::Silf *) 0x0

(gdb) bt
#0  graphite2::Segment::Segment (this=0x555555846250, numchars=19, face=0x555555842480, script=0, textDir=1) at /home/gzq/fuzz/code/graphite/src/Segment.cpp:57
#1  0x0000555555567ab5 in (anonymous namespace)::makeAndInitialize (dir=1, nChars=19, pStart=0x555555845c70, enc=gr_utf8, pFeats=0x555555845c00, script=<optimized out>, face=0x555555842480, font=0x5555558459d0) at /home/gzq/fuzz/code/graphite/src/gr_segment.cpp:43
#2  gr_make_seg (font=0x5555558459d0, face=0x555555842480, script=<optimized out>, pFeats=0x555555845c00, enc=gr_utf8, pStart=0x555555845c70, nChars=19, dir=1) at /home/gzq/fuzz/code/graphite/src/gr_segment.cpp:105
#3  0x0000555555559bf5 in Parameters::testFileFont (this=0x7fffffffe240) at /home/gzq/fuzz/code/graphite/gr2fonttest/gr2FontTest.cpp:691
#4  0x00005555555565bc in main (argc=29, argv=0x7fffffffe3b8) at /home/gzq/fuzz/code/graphite/gr2fonttest/gr2FontTest.cpp:801
(gdb) 

poc-libgraphite2-segment-null-pointer-dereference.zip

0x04 Author
Ziqiang Gu from WeiRan Labs

@tim-eves
Contributor

tim-eves commented Mar 5, 2018

Thanks for the bug report, but unfortunately I am unable to reproduce the segfault you've described. I tested against Intel 64-bit and 32-bit, on both Clang and GCC, all release builds, and in all cases we got the expected output:

graphitesrc/build$ ./gr2fonttest/gr2fonttest ../tests/fonts/poc-libgraphite2-segment-null-pointer-dereference.tt  -rtl -j 30 -cache -codes 1000
Text codes
1000	
Invalid font, failed to read or parse tables

Could you please confirm you've tested against the latest release (3.11), and if so, tell me what platform (OS, CPU) and the commit hash of the source used to generate your build of graphite? In addition, could you confirm that your build passes make test, and tell me what cmake generator configuration options you have set (e.g. CMAKE_BUILD_TYPE, GRAPHITE2_NTRACING, etc.; see doc/building.txt for a complete list)?

Thank you

@gsharpsh00ter
Author

Hi Tim,

The issue can be reproduced stably on my Ubuntu Linux box.

Segfault on the latest (3.11):

gzq@ubuntu:~/graphite-1.3.11/build/gr2fonttest$ ./gr2fonttest poc-libgraphite2-segment-null-pointer-dereference.ttf -rtl -j 30 -cache -codes 1000
Text codes
1000	
Segmentation fault

I also tried the master branch code and it segfaults in the same way:

gzq@ubuntu:~/code/graphite$ git log
commit d1881d76c7c7b276a7320d5ebf29539a1aa85b29
Author: Tim Eves <tim-eves@users.noreply.github.com>
Date:   Fri Mar 2 18:58:24 2018 +0700

    Add TeamCity build status badges

commit 17f26496d49c72029fad6b3d3d7ed7f0c644ba17
Author: Tim Eves <tim_eves@sil.org>
Date:   Fri Mar 2 17:26:49 2018 +0700

    Fix FTBFS on ARM due to intel only gcc flags
    
    -msse and -mfpmath=sse were included on all CPUs when they should have
    been restricted to Intel only.

commit 0218a47ce0ce5d5ef88f71662f00e9e3184b0843
Author: Tim Eves <tim_eves@sil.org>
Date:   Fri Mar 2 15:50:45 2018 +0700

    Fix accidental removal of #include <limits>
    
    From Machine.h

make test shows that all tests passed:

gzq@ubuntu:~/tmp/graphite-1.3.11/build$ make test
Running tests...
Test project /home/gzq/fuzz/tmp/graphite-1.3.11/build
        Start   1: padauk1
  1/116 Test   #1: padauk1 ..........................   Passed    0.01 sec
        Start   2: padauk1Output
  2/116 Test   #2: padauk1Output ....................   Passed    0.02 sec
        Start   3: padauk1Debug
  3/116 Test   #3: padauk1Debug .....................   Passed    0.12 sec
.........
.........
114/116 Test #114: utftest ..........................   Passed    0.00 sec
        Start 115: vm-test-call-threading
115/116 Test #115: vm-test-call-threading ...........   Passed    0.06 sec
        Start 116: vm-test-direct-threading
116/116 Test #116: vm-test-direct-threading .........   Passed    0.10 sec

100% tests passed, 0 tests failed out of 116

Total Test time (real) =   3.15 sec

Hope the following information can help you to reproduce the issue:

Build Commands:

cmake .. -DBUILD_SHARED_LIBS=off
make

OS Release:

gzq@ubuntu:~/install/graphite/bin$ cat /etc/os-release 
NAME="Ubuntu Kylin"
VERSION="16.10 (Yakkety Yak)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu Kylin 16.10"
VERSION_ID="16.10"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="http://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=yakkety
UBUNTU_CODENAME=yakkety

Uname Output:

gzq@ubuntu:~/install/graphite/bin$ uname -a
Linux ubuntu 4.8.0-59-generic #64-Ubuntu SMP Thu Jun 29 19:38:34 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

GCC version:

gzq@ubuntu:~/install/graphite/bin$ gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/6/lto-wrapper
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Ubuntu 6.2.0-5ubuntu12' --with-bugurl=file:///usr/share/doc/gcc-6/README.Bugs --enable-languages=c,ada,c++,java,go,d,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-6 --program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-libmpx --enable-plugin --enable-default-pie --with-system-zlib --disable-browser-plugin --enable-java-awt=gtk --enable-gtk-cairo --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-6-amd64/jre --enable-java-home --with-jvm-root-dir=/usr/lib/jvm/java-1.5.0-gcj-6-amd64 --with-jvm-jar-dir=/usr/lib/jvm-exports/java-1.5.0-gcj-6-amd64 --with-arch-directory=amd64 --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --enable-objc-gc --enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 6.2.0 20161005 (Ubuntu 6.2.0-5ubuntu12) 

@gsharpsh00ter
Author

Have you lost the letter 'f' in the file extension?
graphitesrc/build$ ./gr2fonttest/gr2fonttest ../tests/fonts/poc-libgraphite2-segment-null-pointer-dereference.tt -rtl -j 30 -cache -codes 1000

@tim-eves
Contributor

tim-eves commented Mar 6, 2018

You are right, I mistyped the font file name, and I can now reproduce the bug.

@mhosken mhosken added resolved and removed confirmed labels Mar 6, 2018
@mhosken
Contributor

mhosken commented Mar 6, 2018

This bug is to do with the gr_face_dumbRendering flag that gr2fonttest sets if you enable -cache. If a font has no Silf table and dumbRendering is enabled, it is supposed to carry on and do basic dumb rendering. But it is clear that this has never worked and that therefore nobody is asking for it. The fix, therefore, is to deprecate the flag and make it ineffective. HarfBuzz does a much better job of dumb rendering than we would ever do.

Fixed in db132b4
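
The pattern behind the crash in the report above and in mhosken's explanation, as an added example rather than code from the graphite repository or from any participant in this thread: a table lookup that legitimately returns a null Silf pointer when the font has no Silf table, feeding a constructor whose member-initializer list dereferences it, next to the form where the caller refuses to build the segment at all. Face, chooseSilf, makeSegment and the dumbRendering member are illustrative models and not libgraphite2's API; only the expression m_silf->aPassBits() is taken from the gdb trace. The two sample faces are constructed in the code.

```cpp
#include <cstdint>
#include <memory>
#include <vector>

// Hypothetical model: a Graphite-style font face that may or may not carry a
// Silf table. Names are illustrative, not libgraphite2's own.
struct Silf {
    uint8_t passBits;
    uint8_t aPassBits() const { return passBits; }
};

struct Face {
    std::vector<Silf> silfs;     // empty when the font has no Silf table (the PoC case)
    bool dumbRendering = false;  // models the gr_face_dumbRendering flag discussed above

    // Returns nullptr when there is no usable Silf table for this script.
    const Silf* chooseSilf(uint32_t /*script*/) const {
        return silfs.empty() ? nullptr : &silfs[0];
    }
};

// Unguarded form, matching the crash site in the trace: m_silf is obtained and
// dereferenced inside the initializer list, before any caller could check it.
// Constructing this from a Face without a Silf table is a null dereference.
struct SegmentUnchecked {
    const Silf* m_silf;
    int m_passBits;
    explicit SegmentUnchecked(const Face& face)
        : m_silf(face.chooseSilf(0)),
          m_passBits(m_silf->aPassBits() ? -1 : 0) {}
};

// Hardened form: the constructor takes a pointer the caller has already
// validated, so "m_silf != nullptr" is an invariant rather than a hope.
struct Segment {
    const Silf* m_silf;
    int m_passBits;
    explicit Segment(const Silf* silf)
        : m_silf(silf), m_passBits(m_silf->aPassBits() ? -1 : 0) {}
};

// Factory standing in for a caller such as makeAndInitialize: refuse to build a
// segment for a face with no Silf table. The dumb-rendering flag deliberately
// has no effect on this decision, mirroring the fix that made the flag ineffective.
std::unique_ptr<Segment> makeSegment(const Face& face, uint32_t script) {
    const Silf* silf = face.chooseSilf(script);
    if (silf == nullptr)
        return nullptr;  // caller reports "invalid font" instead of crashing
    return std::make_unique<Segment>(silf);
}

int main() {
    Face withSilf;                       // constructed sample: one Silf table, pass bits set
    withSilf.silfs.push_back(Silf{1});
    Face noSilf;                         // constructed sample: no Silf table, -cache semantics
    noSilf.dumbRendering = true;

    bool ok = makeSegment(withSilf, 0) != nullptr && makeSegment(noSilf, 0) == nullptr;
    return ok ? 0 : 1;
}
```

A fuzzer finds this class of bug quickly because the null path is reachable from file contents alone; the durable fix is the one taken here, rejecting the face before any constructor runs, rather than sprinkling null checks through every member initializer that uses m_silf.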

@mhosken
Contributor

mhosken commented Mar 8, 2018

The segcache has been removed, thus -cache is no longer valid. Please retest without -cache and reopen this bug if there is still a problem.

@mhosken mhosken closed this as completed Mar 8, 2018
@bh-e

bh-e commented Mar 17, 2018

Hi. I tried to reproduce this in the Debian wheezy version (1.3.10) with the given PoC. Unfortunately I am unable to reproduce. Is it affected starting from 1.3.11? (Though the code base is not much different.)
